Currently, a device on a network needs to perform all kinds of service control using a policy. For example, in a service execution procedure, a condition is first specified when a certain action needs to be executed, and the corresponding action is executed only when a packet or a data flow meets the set condition. A typical condition includes a condition such as a user dimension, a time dimension, a layer 3 (L3)-layer 4 (L4) (an Internet Protocol (IP) address+a Transmission Control Protocol (TCP) port number) dimension, an layer 7 (L7) protocol dimension, and a uniform resource locator (URL) dimension. A policy matching procedure is a procedure for comparing information of each dimension of a data flow with a set condition of the dimension.
Information of each dimension of a data flow is generally collected by different data processing modules. For example, user dimension information is identified by a user identifying module, time dimension information is identified by a time module, L3-L4 information is identified by an L3-L4 processing module, L7 protocol information is identified by an identifying module, and URL information is identified by a parsing module. If it is expected that there are richer device policies and more controllable dimensions, more data processing modules need to be disposed on the device on the network to collect information of more dimensions.
Generally, each data processing module on the device on the network has a fixed function and is configured to determine collected information according to set logic. For example, a user management module is configured to determine all kinds of preset information of a user that needs to be collected, such as an IP, a mobile phone number, a role, and a class. Therefore, a procedure for collecting dimension information of a data flow becomes a procedure for executing each data processing module. For clear logic on the device, generally, information of the data flow needs to be first collected, then policy matching is performed, and finally an action corresponding to a policy is executed. A disadvantage of the foregoing procedure is that all modules configured to collect information are executed, thereby wasting device performance.
Therefore, a person skilled in the art improves the foregoing method. As shown in FIG. 1, all dimension information of a data flow is first collected; then searching is performed in an information set to determine whether a set condition is met; and if the set condition is met, a corresponding action is executed. That is, all modules configured to collect information are connected in series, and a fixed sequence is set. All flows undergo a same processing process and pass through each module according to the sequence. In this way, when all modules have been executed, information of each dimension is collected completely and can provide a basis for subsequent policy matching. In this method, design is simple, information is complete, and no function is omitted.
However, a disadvantage of the foregoing method is that an execution sequence for all data flows is the same, thereby ignoring a difference between the data flows. Information of different data flows is different. It is obvious that some data flows do not need to pass through a specific module. Therefore, collection of certain redundant information exists during sequential execution, thereby causing extra performance overhead.